The Russian Yahoo Hacking Indictment and Cyber Arms Control

United States District Court for the Northern District of California, San Francisco.

United States of America v. Dmitry Dokuchaev, a/k/a “Patrick Nagel,” Igor Sushchin, Alexsey Belan, a/k/a “Magg,” and Karim Baratov, a/k/a “Kay,” a/k/a “Karim Taloverov,” a/k/a “Karim Akehmet Tokbergenov” Defendants.


Techniques of Cyber Warfare

If we include economic espionage and unauthorized hacking as a type of cyber warfare, then this indictment released yesterday opens up a window into the techniques being used by organized crime, individuals, and nation states to get into computing systems and steal or manipulate information.

Here are a few of the techniques exposed in the indictment:

  1. Leasing servers in different countries in order to hide the nature and origin of their internet traffic;
  2. Using a number of email accounts registered with false subscriber information;
  3. Using email messages loaded with “malware” that would be activated when the reader clicked on a link, e.g., “spear phishing”;
  4. Creating, or “minting,” authentication cookies that would allow their browser to convince the victim’s email server that it had previously been correctly authenticated;
  5. Seeking access to spouses and children of the intended victims in order to gather additional information;
  6. Stealing the User Database (UDB) of Yahoo, which contains subscriber information, e.g., account names, recovery email accounts, phone numbers, password challenge questions and answers, and certain cryptographic security information;
  7. Getting access to Yahoo’s Account Management Tool (AMT) by minting authentication cookies; and other techniques.
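
The defender's side of item 4, as an added example that is not part of the indictment or the original post: a cookie check that trusts only the signature accepts a cookie minted with a copied key, while a check that also requires a server-side login record rejects and flags it. The cookie format (`user|session_id|HMAC`), the key, and the in-memory session store are constructed assumptions and do not describe Yahoo's actual design.

```python
import hashlib
import hmac
import secrets

# Constructed values for this example; not from the indictment or any real system.
SIGNING_KEY = b"constructed-demo-key"
ISSUED_SESSIONS = {}  # session_id -> user, written only by the real login flow


def _sign(user: str, session_id: str, key: bytes) -> str:
    msg = f"{user}|{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def login(user: str) -> str:
    """Real login path: record the session server-side, then issue the cookie."""
    session_id = secrets.token_hex(16)
    ISSUED_SESSIONS[session_id] = user
    return f"{user}|{session_id}|{_sign(user, session_id, SIGNING_KEY)}"


def verify_signature_only(cookie: str) -> bool:
    """Weak check: trusts any cookie whose MAC verifies."""
    try:
        user, session_id, mac = cookie.split("|")
    except ValueError:
        return False
    expected = _sign(user, session_id, SIGNING_KEY)
    return hmac.compare_digest(mac.encode(), expected.encode())


def verify_with_issuance_record(cookie: str) -> bool:
    """Stronger check: MAC verifies AND the session was issued by a login."""
    if not verify_signature_only(cookie):
        return False
    user, session_id, _ = cookie.split("|")
    return ISSUED_SESSIONS.get(session_id) == user


def audit(cookie: str) -> str:
    """Classify a presented cookie for logging and alerting."""
    if not verify_signature_only(cookie):
        return "invalid"
    return "ok" if verify_with_issuance_record(cookie) else "valid-mac-no-login"


# A cookie built outside the login flow with a copy of the key (the "minted" case).
minted = "victim|" + "0" * 32 + "|" + _sign("victim", "0" * 32, SIGNING_KEY)
```

A `valid-mac-no-login` result is the signal worth alerting on: the signature is correct, yet no authentication event ever produced that session.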

Specific People Were Targets of Attack

Judging from the indictment, the hackers focused primarily on Russian nationals, or people who in some way were associated with a Russian interest.  Here are a few examples of targets:

  1. Multiple users in a Russian financial firm;
  2. Senior board member of a Russian financial firm, and his wife and secretary;
  3. Access to email accounts on a Russian webmail provider (perhaps “mail.ru”);
  4. An assistant to the Deputy Chairman of the Russian Federation;
  5. A managing director, a former sales officer, and a researcher, all of whom worked for a major Russian cyber security firm;
  6. An officer of the Russian Ministry of Internal Affairs assigned to that Ministry’s “Department K,” its “Bureau of Special Technical Projects,” which investigates cyber, high technology, and child pornography crimes;
  7. A Russian official who was both Chairman of a Russian Federation Council committee and a senior official at a major Russian transport corporation;
  8. The CEO of a metals industry holding company in a country bordering Russia;
  9. A prominent banker and university trustee in a country bordering Russia;
  10. An advisor to a senior official in a country bordering Russia.

In addition, one of the hackers ran an e-commerce scam on the side and seemed to have earned a bit of money from it. The indictment demands seizure of a grey Aston Martin DBS and a black Mercedes Benz C54, among other assets such as a number of PayPal accounts.

Alleged Violations of U.S. Law

There are a number of violations cited in the indictment. They can be divided up into classes:

General hacking violations. Conspiracy to commit computer fraud and abuse 18 USC §1030(b); Unauthorized access to protected computers 18 USC §1030(a)(2)(C); Damaging protected computers §1030(a)(5)(A); and Trafficking in counterfeit access devices §1029(a)(1).

Espionage. Conspiracy to commit economic espionage §1831(a)(5); Economic espionage §1831(a)(1); Conspiracy to steal trade secrets §1832(a)(5); Theft of trade secrets §1832(a)(1). These charges involve access to Yahoo’s proprietary software that controls the User Database (UDB) and Account Management Tool (AMT).

It is interesting that the espionage charges relate only to Yahoo, whereas there also were other companies compromised.

Fraud and Identity Theft. The other charges relate to Computer Fraud and Abuse §1020(b); Wire fraud §1349 (moving the money to and from PayPal and getting people to pay for products after being tricked into going to a different website); and Aggravated identity theft §1028(a).

The Precedent of Filing Criminal Charges for Spying

The defendants involved are associated with the Russian Federal Security Service (FSB) [Федеральная служба безопасности Российской Федерации (ФСБ)] which is an intelligence and law enforcement agency of the Russian Federation and a successor service to the Soviet Union’s Committee of State Security (KGB) [Комите́т госуда́рственной безопа́сности (КГБ)].  Their office is in the old KGB headquarters building in Lubyanka Square in Moscow. The FSB is a military service of the Russian Federation.

It should be noted that the FSB is different from the Foreign Intelligence Service of the Russian Federation (SVR) [Слу́жба вне́шней разве́дки (СВР РФ)].

As a comparison, in the United States the CIA is responsible for foreign intelligence, and the FBI for criminal intelligence within the United States.

So the bulk of the espionage efforts by the defendants appears to be a Russian investigation of Russians. But the investigation was taking place inside US “cyber” territory. Other parts involve non-Russian citizens.

Does this set a precedent? Here are a few questions raised by this incident:

  • Will it become common for the United States to file criminal charges against agents of foreign intelligence services?
  • If that happens, then will foreign governments begin to file criminal charges against individuals in the United States who are involved in espionage?

This blogger knows of no other time in history when espionage and intelligence activities by nation states have been subjected to this type of legal procedure. Does this set a dangerous precedent? Only time will tell.

Cyber Arms Control

Ultimately, if there were a criminal investigation underway by the FSB, and the criminal investigation was of Russian nationals, then there should be a way for the FSB to file a surveillance request to US authorities, and then get assistance in the criminal investigation. This could happen if there were some type of reciprocal agreement for each country to aid the other in law enforcement actions. At this time, there is no such mechanism of international cooperation between governments that would allow this type of coordination.

This is one of the problems that could be solved by negotiation of an international convention for the control of cyber weapons.